This post collects my notes on Intel UMIP (User-Mode Instruction Prevention).

Background

The SIDT instruction stores the contents of IDTR (the base address and limit of the interrupt descriptor table) to memory. On CPUs without UMIP it is executable from user mode, which is why it is a classic primitive for virtual machine detection (the "Red Pill" trick) and for security analysis.

Overview

What

User-Mode Instruction Prevention (UMIP) is a security feature present in newer Intel processors. If enabled, it prevents the execution of certain instructions when the Current Privilege Level (CPL) is greater than 0. If these instructions could be executed at CPL > 0, user-space applications would be able to read system-wide settings such as the base addresses of the global and local descriptor tables, the task register and the interrupt descriptor table.

These are the instructions covered by UMIP:

  • SGDT - Store Global Descriptor Table
  • SIDT - Store Interrupt Descriptor Table
  • SLDT - Store Local Descriptor Table
  • SMSW - Store Machine Status Word
  • STR - Store Task Register

All five instructions follow the pattern "S" plus the name of a descriptor table or status register: each stores the contents of a system register to memory (SGDT and SIDT) or to a general-purpose register or memory (SLDT, STR and SMSW). Without UMIP every one of them is executable at CPL 3, which makes them a "back window" for peeking at low-level system state such as the kernel's GDT and IDT base addresses.

Why

With CR4.UMIP (bit 11) set, executing any of these five instructions at CPL > 0 raises a general-protection fault (#GP) instead of storing the register, which closes that back window. One caveat for Linux: to keep legacy user software working, the kernel catches the #GP and emulates SGDT, SIDT and SMSW for user space with dummy values (originally only for 32-bit processes; later kernels also cover 64-bit ones), so an SIDT-based VM-detection trick on a UMIP-enabled system sees spoofed data rather than the real IDTR.
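To see all of this on a real machine, here is an added probe (my own example, not code from the original notes or from the kernel): it reads the UMIP feature bit from CPUID leaf 7 and then executes each of the five instructions at CPL 3 with a SIGSEGV handler installed, so a #GP raised by UMIP is reported as "blocked" rather than killing the process. The result enum, the `descriptor_table` struct and the function names are my own choices; on non-x86 hosts every probe reports PROBE_UNSUPPORTED.

```c
/*
 * umip_probe.c: does this CPU advertise UMIP, and which of the five
 * UMIP-covered instructions can user mode still execute?
 * Build: gcc -O2 -o umip_probe umip_probe.c && ./umip_probe
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

enum probe_result { PROBE_EXECUTED = 0, PROBE_FAULTED = 1, PROBE_UNSUPPORTED = 2 };
enum umip_instr { UMIP_SGDT = 0, UMIP_SIDT, UMIP_SLDT, UMIP_STR, UMIP_SMSW, UMIP_COUNT };

/* Memory operand written by SGDT/SIDT: 16-bit limit, then the base address. */
struct __attribute__((packed)) descriptor_table {
    uint16_t limit;
    uint64_t base;      /* i386 writes only 4 base bytes; the rest stays zero */
};

static sigjmp_buf probe_env;
static void probe_sigsegv(int sig) { (void)sig; siglongjmp(probe_env, 1); }

const char *umip_instr_name(int which) {
    static const char *names[UMIP_COUNT] = { "SGDT", "SIDT", "SLDT", "STR", "SMSW" };
    return (which >= 0 && which < UMIP_COUNT) ? names[which] : "?";
}

/* CPUID.(EAX=7,ECX=0):ECX bit 2 is the UMIP feature flag. */
int cpu_supports_umip(void) {
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx)) return 0;
    return (ecx >> 2) & 1u;
#else
    return 0;
#endif
}

/*
 * Execute one UMIP-covered instruction at CPL 3. With CR4.UMIP set the CPU
 * raises #GP, which Linux delivers as SIGSEGV unless it emulates the
 * instruction; sigsetjmp turns that signal into PROBE_FAULTED. *value gets the
 * stored base (SGDT/SIDT) or selector/MSW; *limit the 16-bit table limit.
 */
int probe_instruction(int which, uint64_t *value, uint16_t *limit) {
#if HAVE_X86
    struct sigaction sa, old;
    int result;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_sigsegv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(probe_env, 1) == 0) {
        struct descriptor_table dt;
        uint16_t r16 = 0;               /* 16-bit register operand for SLDT/STR/SMSW */
        memset(&dt, 0, sizeof dt);
        *limit = 0;
        switch (which) {
        case UMIP_SGDT: __asm__ volatile("sgdt %0" : "=m"(dt)); *value = dt.base; *limit = dt.limit; break;
        case UMIP_SIDT: __asm__ volatile("sidt %0" : "=m"(dt)); *value = dt.base; *limit = dt.limit; break;
        case UMIP_SLDT: __asm__ volatile("sldt %0" : "=r"(r16)); *value = r16; break;
        case UMIP_STR:  __asm__ volatile("str %0"  : "=r"(r16)); *value = r16; break;
        case UMIP_SMSW: __asm__ volatile("smsw %0" : "=r"(r16)); *value = r16; break;
        default: sigaction(SIGSEGV, &old, NULL); return PROBE_UNSUPPORTED;
        }
        result = PROBE_EXECUTED;
    } else {
        result = PROBE_FAULTED;         /* landed here via the SIGSEGV handler */
    }
    sigaction(SIGSEGV, &old, NULL);
    return result;
#else
    (void)which; (void)value; (void)limit;
    return PROBE_UNSUPPORTED;
#endif
}

/* Probe all five instructions; returns how many were blocked with #GP. */
int umip_probe_all(int results[UMIP_COUNT], uint64_t values[UMIP_COUNT], uint16_t limits[UMIP_COUNT]) {
    int faulted = 0, i;
    for (i = 0; i < UMIP_COUNT; i++) {
        values[i] = 0; limits[i] = 0;
        results[i] = probe_instruction(i, &values[i], &limits[i]);
        if (results[i] == PROBE_FAULTED) faulted++;
    }
    return faulted;
}

int main(void) {
    int results[UMIP_COUNT], i; uint64_t values[UMIP_COUNT]; uint16_t limits[UMIP_COUNT];
    printf("CPUID reports UMIP: %s\n", cpu_supports_umip() ? "yes" : "no");
    int faulted = umip_probe_all(results, values, limits);
    for (i = 0; i < UMIP_COUNT; i++) {
        const char *state = results[i] == PROBE_EXECUTED ? "executed" :
                            results[i] == PROBE_FAULTED  ? "blocked (#GP/SIGSEGV)" : "n/a";
        printf("%-4s %-22s value=0x%llx limit=0x%x\n", umip_instr_name(i), state,
               (unsigned long long)values[i], (unsigned)limits[i]);
    }
    printf("%d of %d instructions blocked by UMIP\n", faulted, UMIP_COUNT);
    return 0;
}
```

Reading the output: "blocked" means CR4.UMIP is set and the kernel did not emulate that instruction (SLDT and STR on older kernels). "executed" with a plausible IDT limit (0xfff on 64-bit Linux, i.e. 256 16-byte gates) means the window is open; "executed" with a limit of 0 and a base near the top of the address space is the kernel's UMIP emulation handing back dummy values, which is exactly what a Red Pill style VM check would be fooled by.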


References:

  1. Intel SDM
  2. x86: enable User-Mode Instruction Prevention (Linux kernel commit)